A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) Senators Question Rumsfeld on Privacy Act Violations in JetBlue Case
(2) Background on the Sharing of Commercial Flight Passenger Data with the US Army
(3) FTC, DHS Privacy Officer Investigating
(4) JetBlue Case Illustrates Ongoing Concerns with Commercial Data
In the latest reaction to airline JetBlue's disclosure of passenger records to the Army, Senators Joseph Lieberman (D-CT), Susan Collins (R-ME), and Carl Levin (D-MI) called on Defense Secretary Donald Rumsfeld to investigate whether the Army violated the Privacy Act by not informing the public of the collection of data from JetBlue Airlines and other sources.
Under the Privacy Act, new government databases generally cannot be created in secret. CDT believes that the Army should have issued a public notice that it was acquiring airline passenger records. That would have given members of the public and Congress an opportunity to ask why.
The Army and JetBlue have defended their secrecy by arguing that the government never acquired the data -- JetBlue turned it over to an Army contractor, Torch Concepts. However, Section (m) of the Privacy Act states that the requirements of the Act apply even when the government contracts out data collection or analysis to a private company. The senators are asking the Army a series of questions, including how the access to JetBlue data was relevant to the Army's mission.
Lieberman/Collins/Warner/Levin Letter to Secretary Rumsfeld: http://www.cdt.org/privacy/031017rumsfeld.pdf
In September, JetBlue confirmed reports that it had violated its privacy policy by sharing passenger information, including names, addresses, phone numbers and itineraries, with Torch Concepts, a contractor for the US Army working on military base security systems.
Torch Concepts used the passenger information to populate a prototype database. Torch then used data aggregator Acxiom Corporation to authenticate the identities of passengers and to add to each record more personal details such as public record information. Few details have been made public about the project, but Torch Concepts had been promoting it and posted a PowerPoint presentation describing its work that included detailed information about a specific passenger (without the passenger's name).
It is believed that the Transportation Security Administration (TSA), then housed at the Department of Transportation but since moved to the Homeland Security Department, facilitated the arrangement between JetBlue and the Army's contractor. Early reports speculated that the passenger information was being used for the Computer Assisted Passenger Pre-Screening System (CAPPS II), but it now appears that the effort was unrelated to airline security and that TSA and TSA contractors never received the information in question.
Wired story, 9/23/03, "Army Admits Using JetBlue Data": http://www.wired.com/news/privacy/0,1848,60540,00.html
New York Times Editorial, 9/23/03, "Betraying One's Passengers" (subscription required): http://www.nytimes.com/2003/09/23/opinion/23TUE2.htm
The Federal Trade Commission has confirmed that it is investigating JetBlue's actions in the incident based on a complaint filed by privacy groups.
On September 22, the Electronic Privacy Information Center filed a complaint with the Federal Trade Commission. The complaint charges that JetBlue violated its own privacy policy, which would be considered a deceptive practice under the Federal Trade Commission Act. The complaint also calls Acxiom's practice of providing personal information to Torch without consumer notice or consent an unfair practice under the Act. The Commission has acknowledged that it is investigating JetBlue based on the complaint.
EPIC Complaint: http://www.epic.org/privacy/airtravel/profiling/jetblue/ftccomplaint.html
Nuala O'Connor Kelly, Chief Privacy Officer for the Department of Homeland Security, has also announced that she plans to investigate any role that the Transportation Security Administration may have played in the incident.
The DHS Chief Privacy Officer position was created by Congress in the Department of Homeland Security Act. Kelly has said publicly that she would like to be seen as having some independence to work within the agency. This investigation will test the amount of independence and influence that she will be able to exercise.
The JetBlue case suggests how widespread the government's current use of commercial data is. While many were focused on DARPA's Total Information Awareness program and CAPPS II, no one had even guessed that the Army was testing whether it could mine airline passenger lists looking for terrorists. The case gives heightened urgency to legislation introduced by Sen. Ron Wyden (D-OR), which would require all government agencies to report publicly on their use of commercial databases for data mining. We simply do not know how many other agencies are acquiring, or using contractors to acquire, commercial databases.
The case also highlights the limitations of current privacy laws. Airlines can voluntarily disclose passenger records to the government or its contractors because there is no law protecting travel data or many other categories of electronic data. (JetBlue almost certainly violated the FTC Act by disclosing the data in violation of its posted privacy policy, but it is perfectly legal for any airline or car rental agency or merchandiser to say in its privacy policy that it provides information to the government when appropriate to assist in legitimate government functions or some similarly broad caveat.)
CDT has argued that there is a need for clear, government-wide rules on data-mining and other government uses of commercial databases. The starting point for these rules is the long-accepted Fair Information Principles of Notice, Choice, Collection Limitation, Use and Disclosure Limitation, Retention Limitation, Data Quality and Security, Access and Redress.
Wyden legislation: http://www.cdt.org//legislation/108th/wiretaps/#s1484
CDT testimony on data mining, July 22, 2003: http://www.cdt.org/testimony/030722dempsey.shtml
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_9.20.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 9.20 Copyright 2003 Center for Democracy and Technology